SANS has released the first draft of the Consensus Audit Guidelines (CAG), a list of the 20 top controls recommended by top Federal security experts. For each control, the guidance provides the audit tests that need to be performed to verify the control is in place. The CAG is available at SANS.
The ISC2 reviewed the SANS guidelines, concluding that 20 formulaic controls might not be the answer to ongoing security concerns. Rather, organizations should apply controls tailored to their specific needs based on ongoing risk assessment. ISC2 was also critical that the CAG does not explicitly tie to existing guidance, does not provide supporting data as to why and when to use the controls, and does not include metrics for measuring each control's effectiveness.
For an alternative opinion, see Wyatt Cash's March 6 article in Government Computer News. His stand: While the CAG doesn't replace a rigorous framework like SP 800-53, it does provide decision makers with a list of priorities. That is to say, it's a good place to start. "We have high regard for NIST’s work. However, the problem for organizations trying to follow NIST’s guidelines amid today’s increasing cyberthreats is akin to confronting a raging new pandemic with an encyclopedic field guide to holistic health care."
Monday, March 2, 2009